I've Been Mugged Blog

Since IBM notified me about their data breach, I've paid more attention to Identity Theft legislation in Massachusetts, where I live and work. If you live in Massachusetts, then this new law affects you. If you live in another state, this is an opportunity to evaluate your state's identity theft laws.

Before Massachusetts' new ID-theft law becomes effective in November 2007, I wanted to understand the details and what to expect. Of course, I want to judge how well my state implements this new law.

So, I read both the Massachusetts House and Senate draft versions of the proposed law, plus the final version of the new law. This helped me understand the features and benefits of the new law (and which features didn't made it into the final version of the new law). Negotiations between state lawmakers, companies, and credit bureaus weren't covered much in the local news media, but I firmly believe that it affected the features in the new law.

If you want to read the new law, see the St.2007, c.82: Security Freezes and Notification of Data Breaches. The link is also listed in the right column under "Massachusetts Resources." The major features in Massachusetts' new identity theft law:

• Personal data to be protected: regardless of the format it is stored in, the personal data companies and state agencies must protect includes first name and last name or first initial and last name of a resident with the resident's SS#, driver's license number, state identification number, financial account data (e.g., debit or credit card number in combination with or without a security code, access code, or password)
• Data breach notification for consumers: companies and government agencies must notify as soon as possible affected Massachusetts residents whose personal data (e.g., SS#, driver's license number, etc.) have been lost or stolen. Notice is triggered by unauthorized access to the personal data, regardless of whether there is a likelihood of harm. It doesn't matter if the data is encrypted or not.
• Data breach notification: Companies and state agencies must also notify the Massachusetts Director of Consumer Affairs and the Attorney General. The notice must describe the nature of the data breach, the number of Massachusetts residents affected, and any steps taken relating to the data breach. The notice to consumers does not have to include these details
• New "Security Freeze" option: allows consumers to "lock" their credit reports to prevent identity thieves from fraudulently creating new accounts in their names. This option is free for ID-theft victims; up to $5 for others. Credit bureaus must provide a PIN within 5 days of the consumer's Security Freeze request. The PIN is used by the consumer to control access to their credit report. Credit bureaus must implement a Security Freeze within 3 days of the consumer's request; and lift (or remove) the freeze within the same number of days
• Disposal of records with personal data: the new law sets rules about the proper destruction of records by companies and government agencies
• Consumer access to police report: local police must provide ID-theft victims with a copy of their police report within 24 hours, even if the identity theft occurred elsewhere. This provision of the law takes effect February 3, 2008 and not in November 2007 with the rest of the law

This is great news and a huge step forward. Previously, data breach notification was not required. Now, it is. The Security Freeze provision offers better and stronger protection than the existing Fraud Alert tool from the credit bureaus. However, there are some limitations in the law:

• The new law does not specify exactly how quickly (e.g., number of days, weeks, or months) data breach notification must be sent. Notice must be sent in writing to each Massachusetts resident affected by a data breach. In my opinion, speed is important since identity thieves act quickly
• Possible loophole: "substitute notice." The law reads, "Notice shall include: (iii) substitute notice, if the person or agency required to provide notice demonstrates that the cost of providing written notice will exceed $250,000, or that the affected class of Massachusetts residents to be notified exceeds 500,000 residents, or that the person or agency does not have sufficient contact information to provide notice." Additionally, the company or government agency can notify ID-theft victims via e-mail, a posting on a web site, publication in broad news media, or via the state department of consumer affairs
• The "substitute notice" feature could be a problem for former employees and retirees. While consumers who are stockholders or have a retirement account with their former employer likely monitor the merger/acquisition/name changes of their former employer, others may not. Consumers who don't monitor the merger/acquisition/name change of a former employer may not recognize the substitute notice from the new company
• The new law doesn't state what the penalties are for credit bureaus that violate the Security Freeze features. Section 9 of the new law reads, "You may be entitled to collect compensation, in certain circumstances, if you are damaged by a person's negligent or intentional failure to comply with the credit reporting act." May be? To me, penalties are important should a credit bureau fail to implement a Security Freeze within the days specified, or discloses a consumer's credit report despite an in-place Security Freeze
• The new law doesn't state whether or not the Security Freeze feature applies to C.L.U.E. reports. The new law does mention "consumer reporting agency" which probably applies to ChoicePoint, the dominant C.L.U.E. reports provider
• Disposal of records feature: the penalty for violators seems very weak, in my opinion. the law reads, "Any person or agency who violates the provisions of this chapter shall be subject to a covol fine of not more than $100 per data subject affected, provided said fine shall not exceed $50,000 for each instance of improper disposal." $100? Geez! We need stronger laws here to encourage compliance, not weak laws to undermine compliance.
• The new law doesn't state whether the Massachusetts department of justice will post data breach notices online, like New Hampshire does

What do you think of the new law? How does it compare to your state's ID-theft law? Has your former employer provided substitute notice? I've Been Mugged readers want to know.

Next entry: data breaches and lawsuits